The Atlanta-based company's Network Detective HIPAA Compliance module helps MSPs build automatically prepared technical documents that are required for clients' IT security compliance. That includes HIPAA Policy and Procedures documents, evidence of HIPAA Policy Compliance document, the HIPAA Risk Analysis and Management Plan, and the IT Security Exception Worksheet, all of which are required by law to comply with HIPAA. In addition to those documents, the tool creates a HIPAA compliance Risk Score to prioritize security issues that need to be addressed.

These documents are all required in the case of a government audit, which can affect both health-care organizations and their business associates, including law offices, insurance agencies, billing and even MSPs themselves. The problem for a lot of MSPs, Michael Mittel, president of RapidFire Tools, said, is that most of them have a covered entity or business associate as a client and need to make moves to support them or risk losing the customer.

"As an MSP you're almost forced into this HIPAA world, even if you don’t want to be. I don’t blame MSPs for not wanting to learn about HIPAA and embrace HIPAA. It's so complex. It's aggravating. It's frustrating. ... With this law if you want to keep your customer you have to be able to do these HIPAA audits, because if you don’t your competitor who is an MSP will say, "We'll do it," and you'll lose that business," Mittel said. "I think it's important for the MSP, the service provider to have the correct tools."

Being able to handle HIPAA compliance as part of a services portfolio means new revenue opportunities, Mittel said. Using the tool, MSPs can charge for individual risk analysis, build monthly reports to show the client is staying up to date, and begin offering a compliance-as-a-service solution that does risk analysis yearly, as required by the audits.

"From my perspective, this tool really does create a lot of opportunities for service providers to build out and take advantage of the growing health-care segment of the marketplace. Because this law affects everyone who does business with these companies ... literally anybody that might do business with a hospital that may be exposed to that data are themselves [at risk] by association," saidl Mittel. "It’s a giant opportunity that a lot of the service providers aren’t aware of that is literally in all of their backyards."

Pratik Roychoudhury, CEO of Tampa, Fla.-based Shield Watch, an MSP that has already begun using the HIPAA compliance tool, said Shield Watch already is building a strategy around being able to offer the tool to clients. Many of the company's clients are covered entities, meaning they have to comply with HIPAA laws, or are business associates of those clients, which means they also need to comply, he said. Shield Watch plans to offer the solution as part of its MSP package agreement, according to Roychoudhury.

"I think this tool is very helpful and I think we were just cracking the surface because this tool brings education to the market that chronically suffers from lack of education in high tech," he said.

Being able to offer HIPAA compliance measures helps build a great customer relationship and improve stickiness, Roychoudhury said. Beyond current clients, Shield Watch he plans to expand into more of the health-care market and bring on new clients with the tool.

"We were sort of piecing things together in a way to help our clients understand HIPAA compliance," Roychoudhury said. "[The tool] makes our job easier and help us get access to new markets and new industries. This is not only covered entities, but also business associates."

RapidFire began developing the tool six months ago in response to repeated requests from MSP clients. Through user studies conducted online, Mittel said MSPs were confused about the law, how to make sure their clients complied, and were themselves actually at a "heavy risk of exposure" as business associates of the covered entities.

"It's very early, but the response has been very strong. I think we've hit the nail on the head and hit the issues that resonate most with our MSPs," Mittel said.

The tool was built with the help of an industry expert, Mittel said, and was designed from the standpoint of what an auditor would be looking for in a government audit. For example, the process and procedure documents directly reference HIPAA code sections, which Mittel said is one of the big things an auditor looks for. Without compliance measures in place, fines for missing them can start at $50,000 and can go up to $1.5 million or more.

The tool will continue to evolve as RapidFire responds to feedback from its MSP clients, Mittel said. Later this year, Mittel said the company plans to launch a similar tool for PCI compliance for credit card transactions.